Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

What are signatures 50010, 50011?

I've just noticed since update of my sensor and MC to S235, that there are two new signatures 50010 WORM_SOBER and 50011 WORM_MYTOB. Are these related to the ICS OpSig signatures 50001, 50002 as there doesn't appear to be any info on them? Can I disable them if not using ICS?

Cisco Employee

Re: What are signatures 50010, 50011?

Signature 50000.0, 50000.1, and 50000.2 should be left defaulted in your setup...which is disabled.

They are used by the Cisco Incident Control Server (CICS) system to apply what is called an OpACL. An OpACL is a coarse-grain filter on ICMP, UDP, or TCP (see the 3 subsigs, one per protocol) packets. It is used by the Outbreak Prevention service to filter traffic on ports being used by a worm for propagation, communication, etc.... They will be tuned by the CICS when it recieves notification of an outbreak. This service is an extra feature that you can purchase; it is otherwise disabled and has no effect on the sensor. If you had the service and an outbreak was declared, the system would be triggered to tune the appropriate 50000 sub signature to block traffic on the propgation channels while a fine-grained, higher fidelity signature (an OpSig) was developed and automatically deployed to your sensor. At that time, the coarse-grained OpACL would be disabled. The purpose here being an extremely fast (minutes) response while a more time consuming (hours), better response is developed.

Now, 50002, since the question always gets asked anyway: This was a signatures that Trend requested to go out with their first updates (V1.0). This was for customers who run ICS so they can test their setups. It is very similar to the eicar virus test signature.

50010, 50011, Those are a "by-product" of ICS... basically, we (the signature team) will roll the virus updates into a later sigupdate. They are virus specific, you can leave them enabled, there's really no harm.

However, thanks for bringing this up to our attention... we'll look at linking the signatures in an upcoming sigupdate.